Introduction to Computer Security
NYU Paris

Welcome, Fall 2019 Students!

I believe that computer security is an exciting field that combines computer science, mathematics, global politics, but also a large dose of the human elements of intrigue, curiosity and thinking outside the box. I hope that by the end of this course, you too will develop an interest in what the world of computer security has to offer.

I strongly recommend that you bookmark this website for the duration of the course and that you visit it regularly.

See you in class,
—Professor Nadim Kobeissi

Course Description

Technology increasingly permeates every aspect of our lives, including communication, finance and health. The security of the computer systems that enable these services has become a critical issue. This course will cover basic principles of computer security and security engineering. It will introduce fundamental computer security concepts, principles, and techniques. It will also cover notions of real-world cryptography, the mathematical building blocks that underlie any digital security construction. This course will focus on security from an attacker's perspective (threat modeling) and the defender's perspective (building and deploying secure systems). Specific topics will include operating system security, network security, web security, applied cryptography, security economics and security psychology. Course projects will focus both on writing secure code and exploiting insecure code.

Course Goals

Upon completion of this course, students will be able to:

• Understand the principles of the cryptographic constructions underlying modern computer security.
• Acquire knowledge in important security topics such as operating system security, network security, web security, security economics and security psychology.
• Write secure code and exploit insecure code from an attacker’s perspective (threat modeling) and the defender’s perspective (building and deploying secure systems).

Prerequisites

CSCI-UA.0201 (Computer Systems Organization) and experience with web programming. Recommended prerequisite courses include CSCI-UA.0202 (Operating Systems), and CSCI-UA.04809-009 (Computer Networks).

Administrative Links

• Instructor: Professor Nadim Kobeissi (nk76@nyu.edu)
• Lectures: Mondays and Wednesdays, 4:00pm to 5:15pm. Room 4.06.
• Recitations: Mondays, 5:30pm to 7:00pm. Room 4.06.
• Term Dates: September 2, 2019 until December 13, 2019.
• Office Hours: Email me to make an appointment.
• Online Resources: Mailing List.

Syllabus and Course Schedule

→ A PDF copy of the Fall 2019 syllabus is available.

Part 0: Introduction and Threat Modeling

• 0.1: Introduction and Threat Modeling (slides)
  • Security Engineering, Chapter 1
  • Serious Cryptography, Chapter 1
  • An Introduction to Approachable Threat Modeling

Part 1: Cryptography

• 1.1: One-Way Functions and Hash Functions (slides)
  • Security Engineering, Chapter 3
  • Security Engineering, Chapter 6
• 1.2: Symmetric Key Encryption (slides)
  • Serious Cryptography, Chapters 3, 4, 5
• 1.3: Public Key Cryptography and Randomness (slides)
  • Serious Cryptography, Chapters 9, 11, 12, 2
• 1.4: Transport Layer Security (slides)
  • Serious Cryptography, Chapter 13
  • Let's Encrypt: How It Works
  • The New Illustrated TLS Connection
• 1.5: Usable Security and Secure Messaging (slides)
  • Security Engineering, Chapter 2
  • 15 Reasons not to Start Using PGP
  • State of Knowledge: Secure Messaging
  • Automated Verification for Secure Messaging Protocols and their Implementations: A Symbolic and Computational Approach
  • More is Less, On the End-to-End Security of Group Chats in Signal, WhatsApp and Threema
• 1.6: Modeling and Verifying Cryptographic Protocols (slides available after class)
  • Verifpal User Manual
• 1.7: Cryptocurrencies, Blockchains, Smart Contracts (slides)
  • Bitcoin and Cryptocurrency Technologies, Chapters 1, 2
  • The Idea of Smart Contracts
• 1.8: E-Voting and Other Modern Uses of Cryptography (slides)
  • E-Voting Crypto Protocols
  • The Remote Voting Minefield: from North Carolina to Switzerland

Part 2: Network Security

• 2.1: Networking Basics, IP, TCP and DNS (slides)
  • Security Engineering, Chapter 21
  • An Introduction to Computer Networks, Chapters 1, 22
  • An Introduction to Computer Networks, Chapter 7
  • How DNSSec Works
• 2.2: Denial of Service (slides)
  • Security Engineering, Chapter 21.2
  • Understanding the Mirai Botnet
  • How Netflix DDoSd Itself to Help Protect the Entire Internet
• 2.3: Designing Secure Network Systems (slides)
  • How does Apple (Privately) Find Your Offline Devices?
• 2.4: New Secure Protocols (slides)
  • Noise Explorer
• Midterm Exam

Part 3: Software Security

• 3.1: Understanding and Preventing Vulnerabilities (slides)
  • Software Security Knowledge Area
• 3.2: Control Flow Hijacking (slides by Cătălin Hriţcu, used with permission)
  • Security Engineering, Chapter 4.4
  • Low-level Software Security: Attacks and Defenses
• 3.3: Systems Security and Isolation (slides)
  • Security Engineering, Chapter 4.3
  • Security in Ordinary Operating Systems
  • Apple T2 Security Chip Overview
• 3.4: Mobile Security (slides and more slides by John Mitchell and Dan Boneh, used with permission)
  • iOS Security Guide
  • Android Security: 2017 Year In Review
  • Google Blog: Titan M Makes Pixel 3 our Most Secure Phone Yet
• 3.5: Meltdown and Spectre: Diving Into Hardware Vulnerabilities (slides)
  • Meltdown: Reading Kernel Memory from User Space
  • Spectre Attacks: Exploiting Speculative Execution
  • The Mysterious Case of the Linux Page Table Isolation Patches

Part 4: Web Security

• 4.1: Browser Security Model (slides)
  • OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks
  • Browser Security Handbook, part 1
  • Browser Security Handbook, part 2
• 4.2: Web Application Security (slides by Alex Inführ, used with permission)
  • Introduction to Cross-Site Scripting
  • Password Storage Cheat Sheet
  • Why Don't we Follow Password Security Best Practices?
  • The unescape() Room
• 4.3: Hybrid Runtimes: Electron and Node.js (the reading is the slides)
  • Electron Security Checklist: A Guide for Developers and Auditors
• 4.4: Web Privacy (slides)
  • Tools from the EFF's Tech Team
  • Europe's New Privacy Law Will Change the Web, and More
• 4.5: Spam and Abuse (slides)
  • Click Trajectories: End-to-End Analysis of the Spam Value Chain

Part 5: Security and Society

• 5.1: Economics, Ethics and Law (slides available after class)
  • Security Engineering, Chapter 7.5
  • Vulnerability Reporting FAQ
• 5.2: Censorship and Mass Surveillance (slides available after class)
  • Security Engineering, Chapter 24.3
  • Project Bullrun: Dual EC DRBG
• Final Exam

Materials

Every lecture will be accompanied by outside readings that expand on what is discussed in class or present the same material in a different way. Neither the readings nor the lectures are a replacement for each other; deeply understanding the material will likely require attendance as well as reading. It is possible to read before or after class, depending on your learning style.

Aside from the textbooks and materials, students will also require their own personal computer for various parts of this course. Windows, Linux and Mac computers are all suitable.

Textbooks

• Serious Cryptography, No Starch Press, 2017. ISBN-13: 978-1593278267.
  • Jean-Philippe Aumasson.
  • Required. Pick up a copy from the NYU bookstore.
• Security Engineering, Wiley, 2008. ISBN-13: 978-0470068526.
  • Ross Anderson.
  • Required. Download a free copy from the link above.
• Verifpal User Manual, Symbolic Software, 2019. ISBN-13: 978-2322161294.
  • Nadim Kobeissi.
  • Required. Download a free copy from the link above.

Online Readings

• Kevin Riggle, An Introduction to Approachable Threat Modeling, Increment Magazine, 2018.
• Let's Encrypt, Let's Encrypt: How It Works, Linux Foundation, 2018.
• Paul C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems, Cryptography Research Inc., 1996.
• David Brumley and Dan Boneh, Remote Timing Attacks are Practical, USENIX Security Symposium, 2003.
• Karthikeyan Bhargavan and Gaëtan Leurent, Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH, Network and Distributed Systems Security Symposium, 2016.
• Karthikeyan Bhargavan and Gaëtan Leurent, On the Practical (In-)Security of 64-bit Block Ciphers, ACM Computer and Communications Security, 2016.
• David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin and Paul Zimmermann, Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, ACM Computer and Communications Security, 2015.
• Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar and Yuval Shavitt, DROWN: Breaking TLS using SSLv2, USENIX Security Symposium, 2016.
• Nik Unger, Sergei Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg and Matthew Smith, State of Knowledge: Secure Messaging, IEEE Symposium on Security and Privacy, 2015.
• SecuShare, 15 Reasons not to Start Using PGP.
• Nadim Kobeissi, Karthikeyan Bhargavan and Bruno Blanchet, Automated Verification for Secure Messaging Protocols and their Implementations: A Symbolic and Computational Approach, IEEE European Symposium on Security and Privacy, 2017.
• Paul Rösler, Christina Mainka and Jörg Schwenk, More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema, IEEE European Symposium on Security and Privacy, 2018.
• Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller and Steven Goldfeder, Bitcoin and Cryptocurrency Technologies, Princeton University Press, 2016.
• Nick Szabo, The Idea of Smart Contracts, University of Amsterdam, 1997.
• Jean-Philippe Aumasson, E-Voting Crypto Protocols, Kudelski Security, 2018.
• Bryan Ford, The Remote Voting Minefield: from North Carolina to Switzerland, EPFL, 2019.
• Peter L. Dordal, An Introduction to Computer Networks, Loyola University Chicago, 2018.
• Matthew Green, How Does Apple (Privately) Find Your Offline Devices?, CryptographyEngineering.com, 2019
• Nadim Kobeissi, An Analysis of the ProtonMail Cryptographic Architecture, IACR ePrint Archive, 2018.
• Cloudflare, How DNSSEC Works.
• Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas and Yi Zhou, Understanding the Mirai Botnet, USENIX Security Symposium, 2017.
• Lily Hay Newman, How Netflix DDoS'd Itself to Help Protect the Entire Internet, WIRED Magazine, 2017.
• Stanford University Applied Cryptography Group, Security in Ordinary Operating Systems, Stanford University.
• Apple Inc., iOS Security Guide, Apple Inc., 2018.
• Apple Inc., Apple T2 Security Chip Overview, Apple Inc., 2018.
• Android Team, Android Security: 2017 Year in Review, Google Inc., 2018.
• Xiaowen Xin, Google Blog: Titan M Makes Pixel 3 our Most Secure Phone Yet, Google Inc., 2018.
• Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom and Mike Hamburg, Meltdown: Reading Kernel Memory from User Space, USENIX Security Symposium, 2018.
• Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, IEEE Symposium on Security and Privacy, 2019.
• "dw", The Mysterious Case of the Linux Page Table Isolation Patches, sweetness.hmmz.org.
• Frank Piessens, Software Security Knowledge Area, University of Bristol Cyber Security Group, 2018.
• Úlfar Erlingsson, Low-level Software Security: Attacks and Defenses, Microsoft Research and Reykjavík University, 2007.
• OWASP, Password Storage Cheat Sheet, OWASP, 2018.
• Emily Cain, Why Don't we Follow Password Security Best Practices?, Increment Magazine, 2018.
• Luca Carettoni, Electron Security Checklist: A Guide for Developers and Auditors, Doyensec, 2017.
• EFF Tech Team, Tools from the EFF's Tech Team, Electronic Frontier Foundation, 2018.
• Nitasha Tiku, Europe's New Privacy Law Will Change the Web, and More, WIRED Magazine, 2018.
• OWASP, OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks, OWASP, 2017.
• Google Application Security, Introduction to Cross-Site Scripting, Google Inc.
• Michal Zalewski, Browser Security Handbook, part 1, Google Inc., 2009.
• Michal Zalewski, Browser Security Handbook, part 2, Google Inc., 2009.
• Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, Márk Félegyházi, Chris Grier, Tristan Halvorson, Chris Kanich, Christian Kreibich, He Liu, Damon McCoy, Nicholas Weaver, Vern Paxson, Geoffrey M. Voelker, Stefan Savage, Click Trajectories: End-to-End Analysis of the Spam Value Chain, IEEE Symposium on Security and Privacy, 2011.
• Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Thomas J. Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, Giovanni Vigna, Framing Dependencies Introduced by Underground Commoditization, Workshop on the Economics of Information Security, 2015.
• Coder's Rights Project, Vulnerability Reporting FAQ, Electronic Frontier Foundation.
• Daniel J. Bernstein, Tanja Lange, Ruben Niederhagen, Project Bullrun: Dual EC DRBG, Projectbullrun.org, 2015.

Interactive Learning Tools

• The New Illustrated TLS Connection: Every byte of a TLS connection explained and reproduced.
• Verifpal: Cryptographic protocol analysis for students and engineers.
• Noise Explorer: an online engine for reasoning about Noise Protocol Framework Handshake Patterns.
• The unescape() Room: Cross-Site Scripting (XSS) challenges.

Assignments

Problem Sets are scheduled evenly throughout the course to help you assess your understanding of the material thus far. Recitations give you chances to get real-world experience in designing and breaking digital security systems.

Problem Sets

• Problem Set 1 - due October 2 before class.
• Problem Set 2 - due November 13 before class.
• Problem Set 3 - due November 27 before class.

Recitation Example 1: Designing and Breaking Cryptographic Protocols

Designing your own secure messaging protocol is a challenging task, full of opportunities to learn and experiment. Your professor will be working closely with you to help you determine how such systems can be constructed. Then, it's time for you to jump to the other side and try to break the systems designed by your peers!

Part 1: Designing Your Own Secure Messaging Protocol

In this first practical assignment, you will have the exciting opportunity to design your very own secure messaging protocol. Your protocol must offer end-to-end encryption between two principals, Alice and Bob, while guaranteeing:

• Secrecy: A message sent between Alice and Bob can only be decrypted between these principals.
• Authenticity: If Alice receive an apparently valid message from Bob, then Bob must have sent this message to Alice.
• Replay attack resistance: If Alice receives a valid message from Bob, the attacker cannot replay that same ciphertext to Alice at a later time.

Additionally, your protocol could also include the following optional properties:

• Indistinguishability: If Alice randomly chooses between two messages of the same size and sends only one to Bob, an attacker cannot determine which message was sent.
• Forward secrecy: If Alice sends a message to Bob and Alice's key state at the time of this message is subsequently compromised, all previous messages retain their Secrecy property.
• Future secrecy: If Alice sends a first message to Bob, receives a reply from Bob, and then sends a second message to Bob, Alice's second message remains secret even if her key state for the first message is compromised.

Part 2: Finding Weaknesses in Secure Messaging Protocols

In the second stage of this practical assignment, submitted secure messaging protocols will be anonymized, shuffled and then reviewed by your peers. You too will review a peer's protocol and try to find weaknesses, bugs or outright breaks.

Part 3: Understanding the General Practice of Implementing Cryptographic Protocols

In the final stage of this practical assignment, we will choose a proposed secure messaging protocol and discuss its implementation. What are the elements we must consider when turning this protocol into code? How do we design the API? How do we manage the protocol's internal state?

The final result of your participation in all three parts will be a hands-on experience in designing, breaking, and planning the software architecture of secure messaging protocols and systems.

Recitation Example 2: Hunting for Bugs in Web Applications

Despite the fact that today's web applications are indispensable in our daily lives, many different kinds of bugs, errors and weaknesses can exist in their programming. In this practical assignment, you will audit a web application written specifically for this class and attempt to find and exploit five different bugs representing each of the types described above. Successfully exploiting all five bugs will grant you a perfect score.

Here are just a few different types of bugs that occur in web applications:

• Cross-site scripting (XSS): a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
• Cross-site request forgery (XSRF): an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
• Bad cryptography: a web application could use insufficient or outdated cryptographic constructions in order to protect user data. This can lead to passive attackers obtaining privileged information out of publicly available tokens.
• Flawed authentication logic: a web application could neglect to impose restrictions on its login pages, which could lead to forced authentication through anything from brute force to crafting invalid input values that force the application to authenticate the user.
• Injection: while XSS is a form of client-side injection, there also exist "server-side" injections that could permanently alter a web application's database, resulting in more severe consequences that could range from permanent database corruption to permanent alterations of key web application code or content.

Academic Honesty

At NYU, a commitment to excellence, fairness, honesty, and respect within and outside the classroom is essential to maintaining the integrity of our community. Plagiarism is defined as presenting others' work without adequate acknowledgement of its source, as though it were one’s own.  Plagiarism is a form of fraud.  We all stand on the shoulders of others, and we must give credit to the creators of the works that we incorporate into products that we call our own. Some examples of plagiarism:

• A sequence of words incorporated without quotation marks or an unacknowledged passage paraphrased from another's work.
• The use of ideas, sound recordings, computer data or images created by others as though it were one’s own.
• Submitting evaluations of group members’ work for an assigned group project which misrepresent the work that was performed by another group member.
• Altering or forging academic documents, including but not limited to admissions materials, academic records, grade reports, add/drop forms, course registration forms, etc.

Furthermore, my courses have a zero tolerance policy for cheating. Any instance of cheating will result in an immediate, non-negotiable grade of 0 on the pertinent assignment and a report to the university faculty:

• Your code has to be your own. No copying code (or rewriting it line by line based on someone else's code) will be tolerated.
• Any sharing of any answers on any assignment is considered cheating.
• Coaching another student by helping them writing their answers line by line is also cheating.
• Copying answers or code from the Internet or hiring someone to write your answers for you is cheating.

Explaining how to use systems or tools and helping others with high-level design issues is not cheating.

For further information, students are encouraged to check NYU's Academic Integrity Policy.